SlideShare ist ein Scribd-Unternehmen logo

OAuth FTW

Chris Messina
Chris Messina

OAuth is an open protocol that allows secure API authorization through a simple authorization method. It replaces the need for usernames and passwords with tokens and signatures. This allows users to manage third party access to their account without having to change their main password. Many companies have adopted OAuth due to its security and ability to revoke access without changing primary login credentials. Code libraries exist for a variety of programming languages to make OAuth integration easier.

Technologie
1 von 47
Downloaden Sie, um offline zu lesen
(FOR THE WIN) OAuth FTW How OAuth and portable data can revolutionize your web app Chris Messina October 10, 2008 Future of Web Apps London, England
OAuth |ō| |ôˌθ| Noun. An open protocol that allows secure API authorization in a simple and standard method from desktop, web and mobile applications.
The story of OAuth starts with OpenID.
 factoryjoe.com
factoryjoe.com ?! X
! 
factoryjoe.com ? X Can has OpenID?
X (APPLICATION PROGRAMMING INTERFACE) B-b-but what about API apps?
?
!?!
How much are your username and password worth?
wayn.com
imeem.com
 PC Load Letter?! What the f...!
The Password Anti-pattern!
Passwords are not confetti.
Please stop throwing them around.
Especially if they’re not yours.
 OAuth replaces the need for usernames and passwords with tokens and a hashing signature.
let’s take a look
Brightkite > pings Fire Eagle for Request Token Fire Eagle > returns authorization realm
Brightkite > requests that user authorize Brightkite Fire Eagle > user authenticates through Yahoo! accounts
Fire Eagle > user grants authorization to Brightkite Fire Eagle > Fire Eagle redirects user to callback URL
Brightkite > asks FE to exchange Request Token for Access Token Fire Eagle > checks signature; if valid, returns Access Token ...subsequent requests are signed with this Access Token
users can manage access...
...and change access
or can revoke access later without having to change their primary account password (i.e. if they lose their phone or their computer gets stolen)
?
discovery
Identity -› Discovery -› Authorization
OpenID -› XRDS-Simple -› OAuth Endpoint (EXTENSIBLE RESOURCE IDENTIFIER RESOLUTION)
Identity -› Discovery -› [Authentication] -› Authorization
http://will.norris.name <meta http-equiv=quot;X-XRDS-Locationquot; content=quot;http://will.norris.name/?xrdsquot; />
OpenID XRDS <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;http://openid.net/xmlns/1.0quot; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical</Type> <URI>https://pip.verisignlabs.com/server</URI> <LocalID>https://recordond.pip.verisignlabs.com/</LocalID> </Service> </XRD> </xrds:XRDS>
XRDS-Simple for Portable Contacts <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;http://openid.net/xmlns/1.0quot; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://openid.net/srv/ax/1.0</Type> <URI>http://www.myopenid.com/server</URI> <LocalID>http://brian.myopenid.com/</LocalID> </Service> </XRD> </xrds:XRDS>
XRDS-Simple for Portable Contacts <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type> ...
XRDS-Simple for Portable Contacts <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://soocial.com/contacts.xml</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type> ...
adoption
•OpenSocial •Meetup.com •MySpace •Ma.gnolia •Google •Get Satisfaction •Yahoo! (Fire Eagle) •Agree2 •Netflix •SoundCloud •SmugMug •88Miles •Photobucket •Pownce •Plaxo •Brightkite •Soocial.com •Praized http://wiki.oauth.net/ServiceProviders
code
•C# •OCaml •Coldfusion •Perl •Java •PHP •Javascript •CakePHP •Jifty •Python •.NET •Ruby •Objective-C •...interest in XMPP http://oauth.net/code
the pitch
fin. oauth.net me -› factoryjoe.com

Empfohlen

Back to school night10 11
Back to school night10 11Back to school night10 11
Back to school night10 11
Derrall Garrison
 
Backtoschoolnight14 15
Backtoschoolnight14 15 Backtoschoolnight14 15
Backtoschoolnight14 15
Derrall Garrison
 
Backtoschoolnight11 12 lingarrison
Backtoschoolnight11 12 lingarrisonBacktoschoolnight11 12 lingarrison
Backtoschoolnight11 12 lingarrison
Derrall Garrison
 
Water wonders
Water wondersWater wonders
Water wonders
Derrall Garrison
 
Epw presentation
Epw presentationEpw presentation
Epw presentation
Derrall Garrison
 
The DiSo Project
The DiSo ProjectThe DiSo Project
The DiSo Project
Chris Messina
 
Btsn 2016 2017
Btsn 2016 2017Btsn 2016 2017
Btsn 2016 2017
Derrall Garrison
 
The DiSo Project and the Open Web
The DiSo Project and the Open WebThe DiSo Project and the Open Web
The DiSo Project and the Open Web
Chris Messina
 

Empfohlen

Back to school night10 11
Back to school night10 11Back to school night10 11
Back to school night10 11
Derrall Garrison
 
Backtoschoolnight14 15
Backtoschoolnight14 15 Backtoschoolnight14 15
Backtoschoolnight14 15
Derrall Garrison
 
Backtoschoolnight11 12 lingarrison
Backtoschoolnight11 12 lingarrisonBacktoschoolnight11 12 lingarrison
Backtoschoolnight11 12 lingarrison
Derrall Garrison
 
Water wonders
Water wondersWater wonders
Water wonders
Derrall Garrison
 
Epw presentation
Epw presentationEpw presentation
Epw presentation
Derrall Garrison
 
The DiSo Project
The DiSo ProjectThe DiSo Project
The DiSo Project
Chris Messina
 
Btsn 2016 2017
Btsn 2016 2017Btsn 2016 2017
Btsn 2016 2017
Derrall Garrison
 
The DiSo Project and the Open Web
The DiSo Project and the Open WebThe DiSo Project and the Open Web
The DiSo Project and the Open Web
Chris Messina
 
Enterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript DevelopersEnterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript Developers
AndreCharland
 
Connecting to Web Services on Android
Connecting to Web Services on AndroidConnecting to Web Services on Android
Connecting to Web Services on Android
sullis
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
Aaron Parecki
 
Los Angeles HTML5 User Group Meeting Ask the Expert Session
Los Angeles HTML5 User Group Meeting Ask the Expert SessionLos Angeles HTML5 User Group Meeting Ask the Expert Session
Los Angeles HTML5 User Group Meeting Ask the Expert Session
Peter Lubbers
 
Silver Light By Nyros Developer
Silver Light By Nyros DeveloperSilver Light By Nyros Developer
Silver Light By Nyros Developer
Nyros Technologies
 
Web Services and Android - OSSPAC 2009
Web Services and Android - OSSPAC 2009Web Services and Android - OSSPAC 2009
Web Services and Android - OSSPAC 2009
sullis
 
GTAC: AtomPub, testing your server implementation
GTAC: AtomPub, testing your server implementationGTAC: AtomPub, testing your server implementation
GTAC: AtomPub, testing your server implementation
David Calavera
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keith
m j
 
Real time web (Orbited) at BCNE3
Real time web (Orbited) at BCNE3Real time web (Orbited) at BCNE3
Real time web (Orbited) at BCNE3
Alex Kavanagh
 
OpenSocial - GTUG Stockholm Meeting Oct 1 2009
OpenSocial - GTUG Stockholm Meeting Oct 1 2009OpenSocial - GTUG Stockholm Meeting Oct 1 2009
OpenSocial - GTUG Stockholm Meeting Oct 1 2009
Jacob Gyllenstierna
 
Google Devfest Singapore - OpenSocial
Google Devfest Singapore - OpenSocialGoogle Devfest Singapore - OpenSocial
Google Devfest Singapore - OpenSocial
Patrick Chanezon
 
Widgets Tools Keynote
Widgets Tools KeynoteWidgets Tools Keynote
Widgets Tools Keynote
Michael Mahemoff
 
Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"
Jeremiah Grossman
 
Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021
Chris Swan
 
WordPress APIs
WordPress APIsWordPress APIs
WordPress APIs
Joseph Scott
 
BNC Tech Forum 09: Lexcycle Stanza demo
BNC Tech Forum 09: Lexcycle Stanza demoBNC Tech Forum 09: Lexcycle Stanza demo
BNC Tech Forum 09: Lexcycle Stanza demo
BookNet Canada
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)
Nordic APIs
 
GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009
marpierc
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
amiable_indian
 
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
Tatsuo Kudo
 
Uber Developer Platform Overview for Apigee Webcast
Uber Developer Platform Overview for Apigee WebcastUber Developer Platform Overview for Apigee Webcast
Uber Developer Platform Overview for Apigee Webcast
Chris Messina
 
Joining the conversation
Joining the conversationJoining the conversation
Joining the conversation
Chris Messina
 

Weitere ähnliche Inhalte

Ähnlich wie OAuth FTW

The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
Aaron Parecki
 
GTAC: AtomPub, testing your server implementation
GTAC: AtomPub, testing your server implementationGTAC: AtomPub, testing your server implementation
GTAC: AtomPub, testing your server implementation
David Calavera
 
Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"
Jeremiah Grossman
 
BNC Tech Forum 09: Lexcycle Stanza demo
BNC Tech Forum 09: Lexcycle Stanza demoBNC Tech Forum 09: Lexcycle Stanza demo
BNC Tech Forum 09: Lexcycle Stanza demo
BookNet Canada
 
GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009
marpierc
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
amiable_indian
 

Ähnlich wie OAuth FTW (20)

Enterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript DevelopersEnterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript Developers
 
Connecting to Web Services on Android
Connecting to Web Services on AndroidConnecting to Web Services on Android
Connecting to Web Services on Android
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 
Los Angeles HTML5 User Group Meeting Ask the Expert Session
Los Angeles HTML5 User Group Meeting Ask the Expert SessionLos Angeles HTML5 User Group Meeting Ask the Expert Session
Los Angeles HTML5 User Group Meeting Ask the Expert Session
 
Silver Light By Nyros Developer
Silver Light By Nyros DeveloperSilver Light By Nyros Developer
Silver Light By Nyros Developer
 
Web Services and Android - OSSPAC 2009
Web Services and Android - OSSPAC 2009Web Services and Android - OSSPAC 2009
Web Services and Android - OSSPAC 2009
 
GTAC: AtomPub, testing your server implementation
GTAC: AtomPub, testing your server implementationGTAC: AtomPub, testing your server implementation
GTAC: AtomPub, testing your server implementation
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keith
 
Real time web (Orbited) at BCNE3
Real time web (Orbited) at BCNE3Real time web (Orbited) at BCNE3
Real time web (Orbited) at BCNE3
 
OpenSocial - GTUG Stockholm Meeting Oct 1 2009
OpenSocial - GTUG Stockholm Meeting Oct 1 2009OpenSocial - GTUG Stockholm Meeting Oct 1 2009
OpenSocial - GTUG Stockholm Meeting Oct 1 2009
 
Google Devfest Singapore - OpenSocial
Google Devfest Singapore - OpenSocialGoogle Devfest Singapore - OpenSocial
Google Devfest Singapore - OpenSocial
 
Widgets Tools Keynote
Widgets Tools KeynoteWidgets Tools Keynote
Widgets Tools Keynote
 
Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"
 
Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021
 
WordPress APIs
WordPress APIsWordPress APIs
WordPress APIs
 
BNC Tech Forum 09: Lexcycle Stanza demo
BNC Tech Forum 09: Lexcycle Stanza demoBNC Tech Forum 09: Lexcycle Stanza demo
BNC Tech Forum 09: Lexcycle Stanza demo
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)
 
GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
 

Mehr von Chris Messina

Joining the conversation
Joining the conversationJoining the conversation
Joining the conversation
Chris Messina
 
Joining the Conversation
Joining the ConversationJoining the Conversation
Joining the Conversation
Chris Messina
 
SWAT0 (variant flow)
SWAT0 (variant flow)SWAT0 (variant flow)
SWAT0 (variant flow)
Chris Messina
 
Identity is the platform (Toronto)
Identity is the platform (Toronto)Identity is the platform (Toronto)
Identity is the platform (Toronto)
Chris Messina
 
Openness In The Era Of Social Web
Openness In The Era Of Social WebOpenness In The Era Of Social Web
Openness In The Era Of Social Web
Chris Messina
 

Mehr von Chris Messina (20)

Uber Developer Platform Overview for Apigee Webcast
Uber Developer Platform Overview for Apigee WebcastUber Developer Platform Overview for Apigee Webcast
Uber Developer Platform Overview for Apigee Webcast
 
Joining the conversation
Joining the conversationJoining the conversation
Joining the conversation
 
Joining the Conversation
Joining the ConversationJoining the Conversation
Joining the Conversation
 
Future of the Social Web and How to Stop It
Future of the Social Web and How to Stop ItFuture of the Social Web and How to Stop It
Future of the Social Web and How to Stop It
 
SWAT0 (variant flow)
SWAT0 (variant flow)SWAT0 (variant flow)
SWAT0 (variant flow)
 
Google & the open, social web
Google & the open, social webGoogle & the open, social web
Google & the open, social web
 
OpenID & OAuth for the Consumer Web Workshop, Part 1 of 3
OpenID & OAuth for the Consumer Web Workshop, Part 1 of 3OpenID & OAuth for the Consumer Web Workshop, Part 1 of 3
OpenID & OAuth for the Consumer Web Workshop, Part 1 of 3
 
Socialism, Activity Streams, & Federating The Social Web
Socialism, Activity Streams, & Federating The Social WebSocialism, Activity Streams, & Federating The Social Web
Socialism, Activity Streams, & Federating The Social Web
 
Activity Streams, Socialism, & the Future of Open Source
Activity Streams, Socialism, & the Future of Open SourceActivity Streams, Socialism, & the Future of Open Source
Activity Streams, Socialism, & the Future of Open Source
 
The Open and Social Web
The Open and Social WebThe Open and Social Web
The Open and Social Web
 
The Future of the Social Web and How to Stop It
The Future of the Social Web and How to Stop ItThe Future of the Social Web and How to Stop It
The Future of the Social Web and How to Stop It
 
Google and the Social Web (Mexico City Dev Fest 2010)
Google and the Social Web (Mexico City Dev Fest 2010)Google and the Social Web (Mexico City Dev Fest 2010)
Google and the Social Web (Mexico City Dev Fest 2010)
 
ActivityStrea.ms: Is It Getting Streamy In Here?
ActivityStrea.ms: Is It Getting Streamy In Here?ActivityStrea.ms: Is It Getting Streamy In Here?
ActivityStrea.ms: Is It Getting Streamy In Here?
 
Identity is the platform (Netflix)
Identity is the platform (Netflix)Identity is the platform (Netflix)
Identity is the platform (Netflix)
 
Identity is the platform (Toronto)
Identity is the platform (Toronto)Identity is the platform (Toronto)
Identity is the platform (Toronto)
 
Identity is the Platform (Russian variant)
Identity is the Platform (Russian variant)Identity is the Platform (Russian variant)
Identity is the Platform (Russian variant)
 
Identity is the Platform
Identity is the PlatformIdentity is the Platform
Identity is the Platform
 
The Open, Social Web Workshop
The Open, Social Web WorkshopThe Open, Social Web Workshop
The Open, Social Web Workshop
 
Social Network Supermarkets and How to Defeat Them
Social Network Supermarkets and How to Defeat ThemSocial Network Supermarkets and How to Defeat Them
Social Network Supermarkets and How to Defeat Them
 
Openness In The Era Of Social Web
Openness In The Era Of Social WebOpenness In The Era Of Social Web
Openness In The Era Of Social Web
 

Kürzlich hochgeladen

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
Stephen Perrenod
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
Femke de Vroome
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
CzechDreamin
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
Srushith Repakula
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
David Michel
 

Kürzlich hochgeladen (20)

Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 

OAuth FTW

  • 1. (FOR THE WIN) OAuth FTW How OAuth and portable data can revolutionize your web app Chris Messina October 10, 2008 Future of Web Apps London, England
  • 2. OAuth |ō| |ôˌθ| Noun. An open protocol that allows secure API authorization in a simple and standard method from desktop, web and mobile applications.
  • 3. The story of OAuth starts with OpenID.
  • 7. factoryjoe.com ? X Can has OpenID?
  • 8. X (APPLICATION PROGRAMMING INTERFACE) B-b-but what about API apps?
  • 9.
  • 10. ?
  • 11. !?!
  • 12. How much are your username and password worth?
  • 14.
  • 16.
  • 17.
  • 18. PC Load Letter?! What the f...!
  • 20. Passwords are not confetti.
  • 21. Please stop throwing them around.
  • 23.  OAuth replaces the need for usernames and passwords with tokens and a hashing signature.
  • 25. Brightkite > pings Fire Eagle for Request Token Fire Eagle > returns authorization realm
  • 26. Brightkite > requests that user authorize Brightkite Fire Eagle > user authenticates through Yahoo! accounts
  • 27. Fire Eagle > user grants authorization to Brightkite Fire Eagle > Fire Eagle redirects user to callback URL
  • 28. Brightkite > asks FE to exchange Request Token for Access Token Fire Eagle > checks signature; if valid, returns Access Token ...subsequent requests are signed with this Access Token
  • 29. users can manage access...
  • 31. or can revoke access later without having to change their primary account password (i.e. if they lose their phone or their computer gets stolen)
  • 32. ?
  • 34. Identity -› Discovery -› Authorization
  • 35. OpenID -› XRDS-Simple -› OAuth Endpoint (EXTENSIBLE RESOURCE IDENTIFIER RESOLUTION)
  • 36. Identity -› Discovery -› [Authentication] -› Authorization
  • 38. OpenID XRDS <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;http://openid.net/xmlns/1.0quot; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical</Type> <URI>https://pip.verisignlabs.com/server</URI> <LocalID>https://recordond.pip.verisignlabs.com/</LocalID> </Service> </XRD> </xrds:XRDS>
  • 39. XRDS-Simple for Portable Contacts <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;http://openid.net/xmlns/1.0quot; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://openid.net/srv/ax/1.0</Type> <URI>http://www.myopenid.com/server</URI> <LocalID>http://brian.myopenid.com/</LocalID> </Service> </XRD> </xrds:XRDS>
  • 40. XRDS-Simple for Portable Contacts <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type> ...
  • 41. XRDS-Simple for Portable Contacts <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://soocial.com/contacts.xml</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type> ...
  • 43. •OpenSocial •Meetup.com •MySpace •Ma.gnolia •Google •Get Satisfaction •Yahoo! (Fire Eagle) •Agree2 •Netflix •SoundCloud •SmugMug •88Miles •Photobucket •Pownce •Plaxo •Brightkite •Soocial.com •Praized http://wiki.oauth.net/ServiceProviders
  • 44. code
  • 45. •C# •OCaml •Coldfusion •Perl •Java •PHP •Javascript •CakePHP •Jifty •Python •.NET •Ruby •Objective-C •...interest in XMPP http://oauth.net/code
  • 47. fin. oauth.net me -› factoryjoe.com